
Resolved
1 votes
Hi,

I would like to know if it's possible to have another user other than root with full webconfig administrative privileges. In ClearOS 5.1, there used to be a way to do this via System -> Settings -> Administrator. In ClearOS 6.3, that feature is gone.

I would like to know, how do I achieve this in ClearOS 6.3?

Thanks
Tuesday, September 04 2012, 06:34 PM
Responses (18)
  • Accepted Answer

    RAUL
    Tuesday, April 24 2018, 09:39 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    What do you use the box for?

    To be honest, without setting up users I am not sure how you can give another user restricted access. Perhaps the ClearOS Administrators app will accept non-root users. Why not set up a test box to find out? Have you set up any classic Unix users at all or is the box currently root access only?


    The main purpose for this COS is to be a gateway, providing fault tolerance and balancing for 2 Internet connections. Now, it's working with only one ISP, but the idea is to have 2 (again) in the near future.

    I have to find some hours to try what you have suggested. It will be necessary to provide a basic user with a reboot tool because I'm an external supplier. If I'm not there and the one and only internet connection is down, besides some basic stuff that a user inside can try, I don't have a way to reboot it remotely. The only remaining option is to reset the host, thus resetting also both VMs hosted there.

    Many thanks for your comments.
  • Accepted Answer

    Tuesday, April 24 2018, 07:26 PM - #Permalink
    Resolved
    0 votes
    What do you use the box for?

    To be honest, without setting up users I am not sure how you can give another user restricted access. Perhaps the ClearOS Administrators app will accept non-root users. Why not set up a test box to find out? Have you set up any classic Unix users at all or is the box currently root access only?
  • Accepted Answer

    RAUL
    Tuesday, April 24 2018, 06:35 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    If you want users, in a small office and don't have or want an AD server, go for OpenLDAP. You must have one of the three in order to set up users in the ClearOS model. Keep clear of Samba Directory as it is giving issues and is only a Beta product. Windows Networking (Samba) is fine but serves a completely different purpose - mainly file serving (flexshares) but also a bit of authentication.

    In a small office, if you install Windows Networking, consider if you want a Domain or just simple file serving. It defaults to domain but I use simple file serving at home. No one has to log onto their PCs. If you want people to log in, go down the domain route.

    Also please go to Certificate Manager and initialise your server certificate.


    Certificate done.

    I have to confess that I'm a little "afraid" of installing OpenLDAP in this box. Moreover, because they don't need it. I just need to provide my client an easy way to reboot COS sometimes. Is there another way to allow a basic user to reboot it?

    This is a virtualized COS. In the beginning, it was installed bare metal. One day, COS just stopped resolving DNS queries. I never knew why. So, after a whole day of reading this forum and tampering with the box, I decided to reinstall and virtualize it, because it was easier to restore to a previous state. I don't like to roll back the box to a previous snapshot, but sometimes, this is the best solution.
  • Accepted Answer

    Tuesday, April 24 2018, 04:00 PM - #Permalink
    Resolved
    0 votes
    If you want users, in a small office and don't have or want an AD server, go for OpenLDAP. You must have one of the three in order to set up users in the ClearOS model. Keep clear of Samba Directory as it is giving issues and is only a Beta product. Windows Networking (Samba) is fine but serves a completely different purpose - mainly file serving (flexshares) but also a bit of authentication.

    In a small office, if you install Windows Networking, consider if you want a Domain or just simple file serving. It defaults to domain but I use simple file serving at home. No one has to log onto their PCs. If you want people to log in, go down the domain route.

    Also please go to Certificate Manager and initialise your server certificate.
  • Accepted Answer

    RAUL
    Tuesday, April 24 2018, 02:55 PM - #Permalink
    Resolved
    0 votes
    Thank you Nick.

    I just didn't know that app. I've already installed it, but the menu option shows me a page asking to install OpenLDAP, SAMBA or AD connector. Is this mandatory? This is a small office, they don't have AD nor other directory. I've installed SAMBA once, but some options didn't work anymore, showing a text like "Ooooops .... You need a stronger auth....." (or something like that).

    What do you suggest as the better choice?
  • Accepted Answer

    Tuesday, April 24 2018, 02:39 PM - #Permalink
    Resolved
    0 votes
    All users you add are Webconfig users. Have you seen the Administrators app in the Marketplace?
  • Accepted Answer

    RAUL
    Tuesday, April 24 2018, 02:25 PM - #Permalink
    Resolved
    0 votes
    Hi.

    This is an old post but my question is related.

    I just need to give a user the ability to reboot the COS thru an option in dashboard (I consider this secure).

    According to this procedure, the access_control file would have:

    subadmin=/app/dashboard.

    But, how do I add a new webconfig user? A system (OS) user would be ok?

    Thanks.
  • Accepted Answer

    Wednesday, December 11 2013, 08:32 PM - #Permalink
    Resolved
    0 votes
    Cool, working FINE

    Thanks
  • Accepted Answer

    Monday, March 18 2013, 02:34 PM - #Permalink
    Resolved
    0 votes
    No, /app did not work. It seems all apps have to be listed :-(

    but I found that Zarafa Small Business is /app/zarafa_small_business

    Thanks

    Sven
  • Accepted Answer

    Tuesday, March 12 2013, 01:16 PM - #Permalink
    Resolved
    0 votes
    Perhaps the following works?
    username = /app


    Memory and load report is /app/resource_reports
  • Accepted Answer

    Tuesday, March 12 2013, 10:38 AM - #Permalink
    Resolved
    0 votes
    Hi,
    This works but is not really user-friendly.

    Is there a way to give a subadmin access to everything?

    I am currently not able to gain access to Memory and System load reports. What are the names of those apps?


    /Sven
  • Accepted Answer

    Thursday, February 14 2013, 02:36 AM - #Permalink
    Resolved
    0 votes
    excellent! Thanks a bunch.
  • Accepted Answer

    Thursday, December 13 2012, 05:42 AM - #Permalink
    Resolved
    0 votes
    Just a clarification (took me two goes to get it right... RTFM!!! :silly: )

    example:
    username1 = /app/date, /app/content-filter, /app/reports
    username2 = /app/date, /app/content-filter

    Works perfectly - many thanks :)
  • Accepted Answer

    Monday, October 29 2012, 01:01 AM - #Permalink
    Resolved
    0 votes
    awesome, I really need this - needed to give the principal of a school ability to add/remove students and manage passwords.

    thanks a bunch it works a treat
  • Accepted Answer

    Sunday, September 16 2012, 03:27 AM - #Permalink
    Resolved
    0 votes
    Wow. Thanks for such a detailed answer. I'll try and implement it tomorrow or Monday. Thanks.
  • Accepted Answer

    Thursday, September 06 2012, 08:20 PM - #Permalink
    Resolved
    0 votes
    Just a little technical note on why this is problematic in the 6.x architecture. With 6.x we implemented the best practice of group based rights across the board. We also adopted the paradigm that multiple servers should be able to exist on the same network. The problem that arises then is the separation of rights and the ability to make an administrator exist on one machine but not the other. We know HOW to address this but there is a fair amount of programming to make this happen.

    As you can see from Ben's post, the framework for administration exists but we need to get the app built.
  • Accepted Answer

    Wednesday, September 05 2012, 01:52 PM - #Permalink
    Resolved
    0 votes
    Upcoming task is to make sub-admins part of the LDAP d accounts in 6.

    Until then, to give a user you have created sub-admin access:

    Create the file:

    /var/clearos/base/access_control/custom/access_control

    With the format:

    username = ... list of allowed urls ..

    Example:

    bob = /app/date, /app/content-filter

    Here is a full list of apps as of today.

    /app/reports, /app/multiwan, /app/accounts, /app/php, /app/software_updates, /app/base, /app/certificate_manager, /app/bandwidth_viewer, /app/devel, /app/marketplace, /app/print_server, /app/mail_notification, /app/web_proxy, /app/mail_archive, /app/network_visualiser, /app/port_forwarding, /app/wireless, /app/smtp_plugin, /app/system_database, /app/mail_antispam, /app/mail_antivirus, /app/print_server_plugin, /app/ntp, /app/ssh_server, /app/tiki_wiki, /app/account_import, /app/backuppc, /app/registration, /app/proxy_report, /app/edition, /app/mail_report, /app/imap_plugin, /app/imap, /app/mail_extension, /app/software_repository, /app/clearsync, /app/openvpn_plugin, /app/user_certificates, /app/suva, /app/user_certificates_plugin, /app/clearcenter, /app/log_viewer, /app/dashboard, /app/web_server, /app/mail, /app/mail_quarantine, /app/mail_routing, /app/mail_settings, /app/netatalk, /app/mobile_demo, /app/mail_filter, /app/dhcp, /app/egress_firewall, /app/nat_firewall, /app/content_filter, /app/groups, /app/flexshare, /app/mysql, /app/dmz, /app/antiphishing, /app/antivirus, /app/bandwidth, /app/configuration_backup, /app/contact_extension, /app/date, /app/disk_usage, /app/dns, /app/file_scan, /app/firewall, /app/firewall_custom, /app/ftp, /app/ftp_plugin, /app/graphical_console, /app/greylisting, /app/incoming_firewall, /app/intrusion_detection, /app/intrusion_prevention, /app/intrusion_protection_report, /app/kolab_directory_extension, /app/language, /app/ldap, /app/mode, /app/network, /app/openldap, /app/openldap_directory, /app/openvpn, /app/organization, /app/password_policies, /app/pbx, /app/pptpd, /app/pptpd_plugin, /app/process_viewer, /app/protocol_filter, /app/radius, /app/raid, /app/samba, /app/samba_extension, /app/samba_file_extension, /app/shell_extension, /app/simple_mode, /app/smtp, /app/storage, /app/system_applications, /app/system_services, /app/tasks, /app/user_profile, /app/users, /app/web_access_control, /app/web_proxy_plugin, /app/zarafa_extension, /app/verified_updates, /app/kaspersky_mail, /app/zarafa, /app/zarafa_community, /app/zarafa_professional, /app/zarafa_small_business, /app/antispam_updates, /app/remote_backup, /app/security_audit, /app/active_directory, /app/dynamic_vpn, /app/antimalware_updates, /app/content_filter_updates, /app/intrusion_protection_updates, /app/system_monitor, /app/clearbox300, /app/account_synchronization, /app/central_management, /app/clearcenter, /app/marketplace, /app/registration, /app/suva, /app/dynamic_dns, /app/google_apps, /app/kaspersky_file, /app/kaspersky_gateway

    B
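
An added example, not part of the original post and not ClearOS code: a small Python audit of an access_control file in the `username = urls` format described above. It lists every grant that is a bare `/app`, is malformed, or is missing from a list of known apps, so each sub-admin entry can be reviewed by hand. The function name, the sample file and the shortened app list are assumptions constructed for illustration.

```python
import re

# Entry shape taken from the thread: "username = /app/name, /app/name"
LINE_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*)$")
URL_RE = re.compile(r"^/app/[A-Za-z0-9_-]+$")


def audit_access_control(text, known_apps):
    """Return (grants, findings) for an access_control file body.

    grants: {username: [urls]} for URLs that passed every check.
    findings: list of (line_no, username, url, reason) to review by hand.
    """
    grants, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            findings.append((no, None, raw.strip(), "not 'username = urls'"))
            continue
        user, urls = m.group(1), [u.strip() for u in m.group(2).split(",")]
        for url in urls:
            if url == "/app":
                reason = "bare /app (reported not to work in this thread)"
            elif not URL_RE.match(url):
                reason = "not of the form /app/<name>"
            elif url not in known_apps:
                reason = "not in the known app list, verify the name"
            else:
                grants.setdefault(user, []).append(url)
                continue
            findings.append((no, user, url, reason))
    return grants, findings


# Constructed sample: a subset of the app list above and a made-up file.
KNOWN = {"/app/date", "/app/content_filter", "/app/reports", "/app/dashboard"}
SAMPLE = """\
bob = /app/date, /app/content-filter
alice = /app/date, /app/content_filter, /app/reports
sven = /app
subadmin=/app/dashboard.
"""

if __name__ == "__main__":
    grants, findings = audit_access_control(SAMPLE, KNOWN)
    print(grants)
    for f in findings:
        print("line %d: %s -> %r: %s" % f)
```
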
  • Accepted Answer

    Wednesday, September 05 2012, 12:40 PM - #Permalink
    Resolved
    0 votes
    Sorry I don't know

    http://www.clearfoundation.com/docs/release_info/clearos_community_6.3.0/final_release_information
    The Administrators app does not fit into the group-based policy engine in ClearOS 6. The underlying mechanism that existed in ClearOS 5 has been ported to version 6, but it requires command line configuration.